--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+{
+ config = let
+ cfg = config.services.bind;
+ configFile = pkgs.writeText "named.conf" ''
+ include "/etc/bind/rndc.key";
+ controls {
+ inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+ };
+
+ acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
+ acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
+
+ options {
+ listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
+ listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
+ allow-query { cachenetworks; };
+ blackhole { badnetworks; };
+ forward first;
+ forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
+ directory "/var/run/named";
+ pid-file "/var/run/named/named.pid";
+ ${cfg.extraOptions}
+ };
+
+ ${cfg.extraConfig}
+
+ ${ lib.concatMapStrings
+ ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
+ ''
+ zone "${name}" {
+ type ${if master then "master" else "slave"};
+ file "${file}";
+ ${ if lib.lists.length slaves > 0 then
+ ''
+ allow-transfer {
+ ${lib.concatMapStrings (ip: "${ip};\n") slaves}
+ };
+ '' else ""}
+ ${ if lib.lists.length masters > 0 then
+ ''
+ masters {
+ ${lib.concatMapStrings (ip: "${ip};\n") masters}
+ };
+ '' else ""}
+ allow-query { any; };
+ ${extra}
+ };
+ '')
+ cfg.zones }
+ '';
+ in
+ {
+ networking.firewall.allowedUDPPorts = [ 53 ];
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ services.bind = {
+ enable = true;
+ cacheNetworks = ["any"];
+ configFile = configFile;
+ extraOptions = ''
+ allow-recursion { 127.0.0.1; };
+ allow-transfer { none; };
+
+ notify-source ${myconfig.env.servers.eldiron.ips.main.ip4};
+ notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
+ version none;
+ hostname none;
+ server-id none;
+ '';
+ zones = with myconfig.env.dns;
+ assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) == ".";
+ assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) == ".";
+ (map (conf: {
+ name = conf.name;
+ master = false;
+ file = "/var/run/named/${conf.name}.zone";
+ masters = if lib.attrsets.hasAttr "masters" conf
+ then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters)
+ else [];
+ }) slaveZones)
+ ++ (map (conf: {
+ name = conf.name;
+ master = true;
+ extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+ slaves = if lib.attrsets.hasAttr "slaves" conf
+ then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves)
+ else [];
+ file = pkgs.writeText "${conf.name}.zone" ''
+ $TTL 10800
+ @ IN SOA ${soa.primary} ${soa.email} ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
+
+ ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
+
+ ${conf.entries}
+
+ ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
+ mail IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
+ ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
+ ${lib.concatStringsSep "\n\n" (map (e:
+ let
+ n = if e.domain == "" then "@" else "${e.domain} ";
+ suffix = if e.domain == "" then "" else ".${e.domain}";
+ in
+ ''
+ ; ------------------ mail: ${n} ---------------------------
+ ${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""}
+
+ ; Mail sender authentications
+ ${n} IN TXT "v=spf1 mx ~all"
+ _dmarc${suffix} IN TXT "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster@immae.eu; ruf=mailto:postmaster@immae.eu;"
+ ${if e.send then ''
+ immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; "
+ "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
+ "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
+ '' else ""}
+ '') conf.withEmail)}
+ '' else ""}
+ '';
+ }) masterZones);
+ };
+ };
+}
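Review bot: The two `assert` lines guarding `soa.email` and `soa.primary` only check the last character, so an empty value makes `builtins.substring` start at -1 and fail with an unrelated evaluation error instead of the intended "missing trailing dot" message; `assert lib.hasSuffix "." soa.email;` and `assert lib.hasSuffix "." soa.primary;` express the same check and handle the empty case. The master zone files are content-addressed store paths, but the SOA serial comes from `soa.serial` in `myconfig.env.dns`, which looks like a hand-maintained value — if so, edits to `conf.entries` or `withEmail` will not be picked up by the hosts listed in `slaves` until the serial is bumped, and that expectation deserves a comment next to the `$TTL`/SOA lines. The generated DMARC record sets `p=none` with `rua`/`ruf` reporting only, which is fine as a monitoring baseline but is worth a one-line comment saying the policy is intentionally permissive so it is not mistaken for the final state.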